Bugtraq mailing list archives

Re: SECURITY.NNOV: directory traversal and path globing in multiple archivers


From: "Andreas Marx" <amarx () gega-it de>
Date: Thu, 12 Jul 2001 21:55:23 +0200

Hello,

the ".." bug and how it can be exploited is quite old, so I was 
surprised that the newer packer programs still have it. :-(

Network Associates ( http://www.nai.com ) has found a virus in mid-
2000 called "Bat/Winrip", which uses such a way to replicate. After 
the virus had been found by the German NAI office, warnings 
were sent out both to other AV companies and to developers of 
packer programs. But it seems that only a few people have taken 
steps against this issue in their programs.

The most interesting issue in this virus was that it was able to 
replicate using the extraction routine of a virus scanner: some 
scanners still extract every file of an archive to disk first (e.g. to 
C:\TEMP) and after this, they look for a virus inside this 
unzipped file.

Some virus scanners used external unpackers or special DLL 
routines for doing this - both using the full path and accepting ".." 
or "\". By now this should have changed - some still extract 
the files first (which is relatively slow, so scanning everything in 
memory is more effective), but usually using a random 
file name and/or ignoring path statements, as far as I know.

The trick of the WinRip virus was to drop itself to the autostart folder: 
"\winnt\profiles\default user\start menu\programs\startup\winrip.bat". After a 
reboot (and if this was really the 'correct' folder!) the virus could activate...

I can remember this virus very well, since I have written a longer 
article about this virus and the security-related issue for the PC-WELT 
magazine in the German language ( http://www.pcwelt.de/ratgeber/online/15968/ ).

cheers,
Andreas Marx
AV-Test.org - Tests of Anti-Virus Programs

-- 
Andreas Marx, amarx () gega-it de, http://www.av-test.org
GEGA IT-Solutions GbR, Klewitzstr. 7, 39112 Magdeburg, Germany
Tel: 0391/6075466, Mobil: 0177/6133033, Fax: 0391/6075469
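The mitigation mentioned above, "ignoring path statements" so that an archive member containing ".." or "\" cannot escape the extraction directory, shown as an added example. This is not code from the original post or from any of the archivers or scanners it discusses; the functions `is_safe_member`, `safe_extract` and `demo`, and the member names in the constructed in-memory archive, are all assumptions made for this illustration.

```python
import io
import os
import posixpath
import tempfile
import zipfile


def is_safe_member(name: str, dest_dir: str) -> bool:
    """Return True only if archive member `name` resolves strictly inside dest_dir.

    Hypothetical helper written for this example. It treats backslashes as
    separators (some extractors accept "\\" as well as "/"), rejects absolute
    paths and drive letters, collapses "." and ".." components, and finally
    compares the resolved target against the destination directory.
    """
    normalized = name.replace("\\", "/")
    # Absolute paths and drive-letter prefixes ("C:...") bypass dest_dir entirely.
    if normalized.startswith("/"):
        return False
    if len(normalized) >= 2 and normalized[1] == ":" and normalized[0].isalpha():
        return False
    # Collapse "." and ".." lexically; anything still starting with ".." escapes.
    collapsed = posixpath.normpath(normalized)
    if collapsed in (".", "..") or collapsed.startswith("../"):
        return False
    # Belt and braces: the joined path must share dest_dir as its common prefix.
    dest = os.path.abspath(dest_dir)
    target = os.path.abspath(os.path.join(dest, collapsed))
    return os.path.commonpath([dest, target]) == dest and target != dest


def safe_extract(archive_bytes: bytes, dest_dir: str) -> dict:
    """Extract only members that stay inside dest_dir; report what was skipped."""
    extracted, skipped = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.endswith("/"):
                continue  # directory entries carry no data
            if not is_safe_member(info.filename, dest_dir):
                skipped.append(info.filename)
                continue
            # Write the data ourselves so the path check above is the only path logic.
            collapsed = posixpath.normpath(info.filename.replace("\\", "/"))
            target = os.path.join(os.path.abspath(dest_dir), collapsed)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            extracted.append(info.filename)
    return {"extracted": extracted, "skipped": skipped}


def demo() -> dict:
    """Build a constructed archive in memory and run safe_extract on it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed sample members: two harmless, three that try to escape.
        zf.writestr("docs/readme.txt", b"harmless\n")
        zf.writestr("docs/../notes.txt", b"still inside after normalisation\n")
        zf.writestr("../../startup/dropped.bat", b"would land outside dest_dir\n")
        zf.writestr("..\\..\\startup\\dropped.bat", b"same trick with backslashes\n")
        zf.writestr("/abs/path.txt", b"absolute path\n")
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(buf.getvalue(), dest)


if __name__ == "__main__":
    print(demo())
```

The check is deliberately done on the member name before anything touches the filesystem, and then repeated on the resolved path; the second comparison catches cases the lexical pass might miss if a future change to the normalisation step weakened it. A scanner or unpacker that applies this kind of check, or that discards the path component entirely and writes each member under a random file name, cannot be used to drop a file into a startup folder the way the message describes.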
